Confidentializer® provides solutions for recurrent pain points encountered while building solutions that comply with the “Privacy by Design” GDPR requirement or have to manage confidential data along their lifecycle. Ensuring each user only has access to a limited data set, in any situation, proves to be a more complex task than expected. Also, with more and more Agile projects, who can access what when is something that evolves along a project, generating high evolution costs on APIs, and unfortunately creating opportunities for data breaches. This is an old debate around RBAC (Role Based Access Control) where classic role based solutions such as static roles in a directory are not sufficient to cover the security needs of modern applications.

Confidentializer® brings a dynamic RBAC approach which translates into the pure configuration of access controls (no code/low code). It can be used in two ways:

Generating a front-facing API that will securely manage and protect the data associated to the user journey, delegating complex actions to your business services.
As a slave to a front-facing API to inform in real time of the user access rights in a given context.

As such, Confidentializer® can be seen as a lightweight, security focused case manager that dynamically generates your front-facing APIs while taking care of a the security of your user journeys, optionally managing the persistence of the user journey’s data not managed in your business services.

A NoSQL engine is embedded for faster prototyping (and is production tested with thousands of users).

Confidentializer® : a security focused, no code case management API

Initially developed to solve the problem of managing confidential and classified data in collaborative processes, Confidentializer software suite aims to solve recurrent pain points in the Privacy by Design or Confidential Data Management setup of Web/Mobile APP and APIs. Those Privacy by Design pain points are encountered while managing contextual access rights, setting up flexible multi-factor authentication, shielding data from operators, transferring data between systems via a public cloud.

Confidentializer manages authentication( who is who), authorisation (who can do what) and signatures (who validates what) in a fully configurable way. Installed as a proxy in front of your business APIs, it generates without any coding a secure API that fully controls user actions and validations.

Contextual access rights management

Managing access rights has become a serious pain point of modern application development. User experience requires pages finely targeted for each user, at each step of the information lifecycle. Not only it is a complex task to build a service orchestrating Who can view/change What, When and in which context (Where), but troubles grow exponentially at each product iteration and access rights refinements, leading to security breaches and ruining the Privacy by Design statement. Keeping data private isn’t something static: many actors might use confidential or private data for the sake of completing a very specific process step, but shouldn’t have access otherwise, whether it’s before, after or in other circumstances.

Confidentializer WWWW

Our Who What When/Where engine manages fine grained access to each individual piece of information while adapting to your process : rights aren’t static anymore and become context dependant. It’s the basis for implementing the following data protection strategies:

Proactive and preventive access protection with a unique, systematic way of managing access to private and confidential data
Privacy by default by configuring default access contexts that can be extended on request
Privacy embedded into design by usage of the WWWW engine
Full functionality, down to enforcing privacy by encryption when necessary
Full lifecycle protection with contextual access and data creation/deletion as part of the process
Visibility with a privacy management process that can be documented
Respect for user privacy with a natively user-centric access management

The WWWW engine manages:

Read access
Write access
Should access (to inform front end that a marker should highlight data)
Actions that the user may see
Actions that the user may process
Actions that the user should process
Evolving process with contextual changes
- Data set access rights changes
- Individual access rights changes
- Data sanitisation and control changes
- API reshaping with extra/removed fields
- Back-end call reshaping

The WWWW engine is at the heart of Privacy by Design management, bringing a configuration based, fully reproductible authorisation service that enforces privacy in a contextual manner.

RestFul

Confidentializer exposes an oData-lite API to manipulate security and data objects. It also expose an S3 compatible entry point to build augmented, context dependant cloud storage applications.

2 Factor Authentication and digital signatures

Running MFA often requires setting complex and costly packages where one just needs to add the second factor capability to an APP/API. The 2FA SDK is part of the Condidentializer® suite and allows to attach, detach, resychronize and valide OATH OTP and TOTP tokens.

As part of the YobiDrive® key heritage, Confidentializer® also embeds an Online API with transaction identification that can be used for opening a vault, validating a transaction, authenticating on request…

Protecting a transaction by a signature (such a a wire transfer) is as simple as adding a configuration line. The transaction is automatically put on hold and released upon signature.

Operator shielding

Data Room oriented file sharing features

YobiDrive® inherited features provide the basis for a strong operator shielding. Some call it “Digital Safe” or “Digital Vault”. Using a user private key in addition to the authentication credentials allows to make data access impossible for the operations team as data is encrypted at rest.

To be compliant with hosting regulations Confidentializer® implements a key escrow service (typically the printed escrow key is held at a notary) .

A key concierge service is provided for a better user experience in dynamic workflows involving users that aren’t registered yet. Due to asymmetric cryptography limits, a user without a private/public key pair can’t be part of a process involving encrypted data : the concierge will hold his key until his registration.

Secure access and transport

Ad-hoc secure exchanges are always a critical point and require complex specialised packages that diminish the quality of integration with the core services. Confidentializer® provides two features based on the same root technology: SyncShuttle®.

This technology can be used in ad-hoc applications to build cloud based, fully integrated transport and access systems that put minimal constraints on each endpoint infrastructure.

Secure data transport (SyncShuttle®)

SyncShuttle® transports data in a secure way between two Confidentializer platforms or between a Confidentializer platform and a SyncShuttle® agent. Using two pairs of keys for each direction SyncShuttle operates with encryption and anti-tampering.

The great feature of SyncShuttle is that it operates via the public or private cloud of your choice, using a transparent router that has no access to your data. Each of the participants only issue outbound calls to the cloud router : your network doesn’t need to have exposed inbound ports and a fixed IP address is not even required.

Anywhere file access (WebGates cloud access)

Base on a simplified version of SyncShuttle®, WebGates concentrates Web access to files located all other the planet from a single Web portal. Servers only run a Webgate agent and do not need a fixed IP address.

Miscellaneous

In order to simplify operations, Confidentializer embeds some handy tools such as Audit Trail management with Hash Chain, Distributed logging, Email sending engine with retry management and templating, single place i18n files for API, web and mobile APPs, WebDAV service, File import management, and more.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.